Setting Up Red Hat Linux as an NIS Master Server

Setting Up Red Hat Linux as an NIS Master Server

To configure your Red Hat Linux system as an NIS master server, you should first configure it as an NIS client (That is, set the NIS domain name, set up /etc/yp.conf, and configure client daemons as described earlier.) Then you create the NIS maps and configure the NIS master server daemon processes (ypserv and rpc.yppasswdd). The next sections describe these procedures.

Note?

If there is a firewall on your NIS server, you must make UDP port 111 (sunrpc) available or NIS clients won't be able to connect to your NIS service. If the computer is also a router, if possible, block access to port 111 outside of your local network.

Creating NIS maps

To create NIS maps so that your Red Hat Linux system can be an NIS master server, start from the /var/yp directory from a Terminal window as root user. In that directory, a Makefile enables you to configure which files are being shared with NIS. The files that are shared by default are listed near the beginning of this chapter and within the Makefile itself.

Choosing files to map

If you don't want to share any file that is set up in the Makefile, you can prevent that file from being built. Do this by finding the following line in the Makefile and simply deleting the file you want excluded:

You may notice that not all the names in the all: line represent the exact filename. For example, netgrp is for the /etc/netgroup file. The files that each name represents are listed a few lines below the all: line in the Makefile. You may also notice that many of the files are already commented out, including the shadow file.

Tip?

The NIS-HOWTO document suggests that using shadow passwords with NIS is "always a bad idea." Options in the Makefile (described in the next section) enable you to automatically merge the shadow and gshadow files into the passwd and group files, respectively.

Choosing mapping options

Within the Makefile, several options are set. You can choose to change these options or leave them as they are. Here are the options:

B= — You can use the B= option to allow NIS to use the domain name resolver to find hosts that are not in the current domain. By default, B= is not set. To turn on this feature, set it to -b (B=-b).

NOPUSH=true — When set to true (the default), the NOPUSH option prevents the maps from being pushed to a slave server. This implies that the NIS master server is the only server for the NIS domain. Set this to false, and place the host names of slave servers into the /var/yp/ypservers file if you do not want the NIS master to be the only server for the domain.

MINUID=500 — To prevent password entries from being distributed for administrative users, the MINUID is set to 500. This assumes that all regular user accounts on the system that you want to share have UIDs that are 500 or above.

MINGID=500 — To prevent password entries from being distributed for administrative groups, the MINGID is set to 500. This assumes that all regular groups that you want to share have GIDs that are 500 or above.

Note?

Tools for adding users and groups to Red Hat Linux always begin with the number 500. Some UNIX and Linux systems, however, may use lower UIDs and GIDs for regular users. In those cases, you may need to lower MINUID and MINGID to below 500, but not below 100 (which always represent administrative logins).

MERGE_PASSWD=true — Keep this option true if you want each user's password to be merged from the shadow file back into the passwd file that is shared by NIS.

MERGE_GROUP=true — Keep this option true if you want each group's password to be merged from the gshadow file back into the group file that is shared by NIS.

To build the NIS maps, your system must have the awk, make, and umask commands. In the Makefile, the locations of these commands are /usr/bin/gawk, /usr/bin/gmake, and umask, respectively. (The umask command is a shell built-in command, so you don't have to look for its location.) You can use comparable commands in different locations by changing the values of the AWK, MAKE, and UMASK variables in the Makefile.

Besides the options just mentioned, there are several variables you can set to change the location of NIS files. For example, the locations of password files (YPPWDDIR) and other source files (YPSRCDIR) are both set to /etc by default. The location of YP commands (YPBINDIR) is set to /usr/lib/yp. If you want to change the values of these or other variables, you can do so in the Makefile.

Defining NIS client access

Add the IP addresses of the client computers that are allowed access to your NIS maps to the /var/yp/securenets file. By default, any computer on any network that can reach your NIS master can have access to your maps (which is not a secure situation). So, it is important that you configure this file. IP numbers can be given in the form of netmask/network pairs. For example:

255.255.255.0 10.0.0.0

This example enables access to your NIS master server maps from all computers on network number 10.0.0.

Cross-Reference?

See Chapter 15 for descriptions of IP addresses and netmasks.

Configuring access to maps

In the /etc/ypserv.conf file, you can define rules regarding which client host computers have access to which maps. You can also set several related options. Access rules in the ypserv.conf file have the following format:

host:map:security:mangle[:field]

Asterisks can replace host and map fields to create rules that match any host or map, respectively. The host is the IP address for the network or particular host for which the rule applies. The map is the name of the map for which you are defining access. The security is replaced by none (to always allow access), port (to allow access from a port less than port number 1024), deny (to deny access to this map), or des (to require DES authentication).

The mangle is replaced by yes or no (to indicate if a field in the map should be replaced by an x if a request comes from an unprivileged host). If the mangle is set to yes, field is replaced by the name of the field that should be mangled (the second field is used by default).

The following options can be set in the ypserv.conf file:

dns — If yes (dns: yes), NIS will query the TCP/IP name server for host names when host names are not found in maps. By default, dns:no is set.

xfr_check_port — If yes (xfr_check_port:yes), the NIS master server must run on a port that is less than port number 1024. If no, any port number may be used. By default, this is set to yes.

If you make changes to the /etc/ypserv.conf file, the ypserv daemon will pick up those changes the next time your system reboots (or the ypserv service restarts). Alternatively, you can have ypserv read the contents of the file immediately by sending the ypserv process a SIGHUP signal. Removing the comment character (#) from the following line in /etc/ypserv.conf allows all hosts access to all maps:

* : * : * : none

Generating the NIS map database

To install and build the NIS database, run the ypinit command. To start the ypinit program, type the following:

# /usr/lib/yp/ypinit –m
next host to add: maple
next host to add:

The ypinit command should automatically choose your host name to use as an NIS server. After that, it asks you to add slave servers. Add one at a time; then press Ctrl+D after you have entered your last slave server. Verify that the list of NIS servers is correct (type y). (Remember that slave servers are not required.)

The database is built at this point. A new directory that has the name of your NIS domain is created in /var/yp. For example, if your NIS domain name is trident, the directory is /var/yp/trident. All maps built are then placed in that directory.

Adding NIS slave servers

In Red Hat Linux, NIS is configured by default to have a master NIS server and no slave NIS servers. You can allow your NIS maps to be pushed to one or more slave servers by setting NOPUSH=false in the /var/yp/Makefile file. After that, you need to add the names of the slave servers to your /var/yp/ypservers file. You can either add the host names manually or have them added automatically when you run the ypinit command later.

Configuring NIS server daemons

The NIS server must be running several daemon processes to be an NIS server. Red Hat Linux supplies run-level scripts that you can configure to start NIS server daemon processes. These scripts, located in the /etc/init.d directory, include the following:

ypserv — This script starts the ypserv (/usr/sbin/ypserv) daemon. It reads information from the /etc/ypserv.conf file to determine what to do. Then it listens for requests from NIS client computers on the network.

yppasswdd — This script starts the rpc.yppasswdd (/usr/sbin/rpc.yppasswdd) daemon. This daemon handles requests from users on NIS client computers who want to change their user passwords.

Unless you requested that these scripts be configured to start at boot time when you installed Red Hat Linux, they will not start automatically. You can use the following chkconfig command to set ypserv and yppasswdd scripts to start automatically at boot time.

# chkconfig ypserv on
# chkconfig yppasswdd on

If you want to start the services immediately, you can type the following:

# /etc/init.d/ypserv start
# /etc/init.d/yppasswdd start

The NIS master server should be up and running. If there are any NIS slave servers, you should configure them now.